EGI SVG Advisories

Advisory-SVG-CVE-2016-4303

Title:   EGI SVG Advisory [TLP:WHITE] CRITICAL risk CVE-2016-4303 in iperf3 in
         Perfsonar [EGI-SVG-CVE-2016-4303]

Date:    2016-06-13
Updated:

Affected software and risk
==========================

CRITICAL risk vulnerability concerning iperf3 used in perfSONAR

Package : iperf3 (used in perfSONAR)
CVE ID  : CVE-2016-4303

A buffer overflow vulnerability has been found, for which a lot of public
information is available, that allows an unauthenticated remote attack on the
service.

Actions required/recommended
============================

Sites running perfSONAR are required to urgently install a non-vulnerable
version of iperf3 if they have not done so already.

All running resources MUST be either patched or have software removed by
2016-06-21 00:00 UTC

Sites failing to act and/or failing to respond to requests from the EGI CSIRT
team risk site suspension.

Affected software details
=========================

Versions iperf-3.1.2 and earlier are affected
Versions iperf-3.0.11 and earlier are affected

Fixed in versions iperf-3.1.3, iperf-3.0.12

More information
================

It is probably difficult to do more than a DoS, but since a more serious attack
cannot be ruled out, EGI SVG has assessed this vulnerability as 'Critical'.

Many sites are likely to have automatically updated.

More information is available at [R 1], [R 2]

Most people who run perfSONAR should already have received the following note
from the perfSONAR Development Team:

An important security fix to iperf3. It is highly recommended all perfSONAR
users update to iperf3 version 3.1.3 as soon as possible. If you are running
auto-updates you should get the new version within the next 24-48 hours (if not
already) depending on how quickly mirrors update. If you are not running
auto-updates, you may run "yum update iperf3" on CentOS/RedHat or "apt-get
update && apt-get upgrade iperf3" on Debian/Ubuntu. If you don't see the
update yet, please be patient as the packages were just uploaded prior to the
sending of this note and the mirrors need time to sync.

Though everyone should update as soon as possible, it should be stated that the
way in which the average perfSONAR box executes iperf3 should limit the
severity of any potential attacks from this vulnerability in the following
ways:

- In the perfSONAR use case, the iperf3 client and server processes are started
  by the BWCTL command as an unprivileged 'bwctl' user. This limits the types of
  things an attacker can do on the system. Likely they could interrupt the
  iperf3 process, but it is not clear they could do much else on a properly
  configured host.

- BWCTL only runs iperf3 for a few seconds at a time and then closes the
  connection, minimizing the time window in which things may be vulnerable.
  This is further minimized by the fact that the vulnerability only exists
  during the exchange of test parameters and not other parts of the protocol
  exchange (such as when the test is running and results are reported).

Regardless of these facts though, the best course of action is to update as
soon as you can to eliminate the vulnerability entirely.

Once again, for further details see the official announcement from the iperf3
project shown below.  Also let us know if you have any further questions
regarding how this may affect your perfSONAR box.

Thank you,
The perfSONAR Development Team


On June 8, 2016 at 3:02:59 PM, Bruce Mah (bmah@es.net) wrote:

ESnet Software Security Advisory
ESNET-SECADV-2016-0001

Topic: iperf3 JSON parsing vulnerability
Issued: 8 June 2016
Credits: Dave McDaniel, Cisco Talos
Affects: iperf-3.1.2 and earlier,
iperf-3.0.11 and earlier
Corrected: iperf-3.1.3, iperf-3.0.12
Cross-references: TALOS-CAN-0164, CVE-2016-4303

I. Background

iperf3 is a utility for testing network performance using TCP, UDP, and SCTP,
running over IPv4 and IPv6.  It uses a client/server model, where a client and
server communicate the parameters of a test, coordinate the start and end of
the test, and exchange results. This message exchange takes place over a TCP
control connection, and relies on a modified version of the open-source cjson
library for rendering and parsing the various messages in JSON.

II. Problem Description

A bug exists in the way that the included version of the cjson library handles
Unicode literals in JSON string constants. A malformed Unicode literal can
cause a process parsing a block of JSON to overwrite a pre-allocated buffer in
the heap. Note that this bug has already been fixed in recent versions of
cjson.

III. Impact

A malicious process can connect to an iperf3 server and, by sending a malformed
message on the control channel, corrupt the server process's heap area. This
can lead to a crash (and a denial of service), or theoretically a remote code
execution as the user running the iperf3 server. A malicious iperf3 server
could potentially mount a similar attack on an iperf3 client.

iperf2, an older version of the iperf utility, uses a different model of
interaction between client and server, and is not affected by this issue.

IV. Workaround

There is no workaround for this issue; however, as best practice dictates,
iperf3 should not be run with root privileges, to minimize possible impact.

V. Solution

Update iperf3 to a version containing the fix. On the 3.1 release train,
versions 3.1.3 and later contain the fix.  On the 3.0 release train, versions
3.0.12 and later contain the fix.

Because iperf3 incorporates a modified version of the cjson library, it is
necessary to explicitly update iperf3 to fix this issue, separately from any
other installation of cjson (if present).

VI. Correction details

The bug causing this vulnerability has been fixed by the following commits in
the esnet/iperf3 Github repository:

master      ed94082be27d971a5e1b08b666e2c217cf470a40
3.1-STABLE  f01a9ca8f7e878e438a53687dabe30b7f7222912
3.0-STABLE  91f2fa59e8ed80dfbf400add0164ee0e508e412a,
            7856eb935d511ddb5b5c7d431d1056c9daff0a2a

All released versions of iperf3 issued on or after the date of this advisory
incorporate the fix.
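The cjson defect described in section II of the quoted ESnet advisory is a parser that writes more bytes than it reserved when a \u literal is malformed. As an added illustration (not cjson's, iperf3's or ESnet's code), here is a decoder for the body of a JSON string written the way a hardened parser has to behave: every \u escape is validated (four hex digits present, surrogate pairs complete and in range) and the output capacity is checked before each write, so a malformed literal is rejected instead of overrunning the buffer.

```c
#include <stddef.h>
#include <string.h>
/* Added example, not cJSON's or iperf3's code: a hardened decoder for the body of
 * a JSON string. Returns bytes written to 'out', or -1 on a malformed escape or
 * when the result would exceed 'cap' (room is checked before every write). */
static int read_u(const char *in, size_t inlen, size_t i, unsigned *cp) {
    /* Parse "\uXXXX" at in[i]: must fit in the input and be four hex digits. */
    if (i + 6 > inlen || in[i] != '\\' || in[i + 1] != 'u') return 0;
    *cp = 0;
    for (int k = 2; k < 6; k++) {
        char c = in[i + k];
        int d = (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10
              : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
        if (d < 0) return 0;                          /* not a hex digit */
        *cp = (*cp << 4) | (unsigned)d;
    }
    return 1;
}
int json_decode_string(const char *in, size_t inlen, char *out, size_t cap) {
    static const unsigned char lead[5] = { 0, 0x00, 0xC0, 0xE0, 0xF0 };
    size_t i = 0, o = 0; unsigned cp, lo;
    while (i < inlen) {
        if (in[i] != '\\') {                          /* plain byte: copy it */
            if (o >= cap) return -1;
            out[o++] = in[i++];
            continue;
        }
        if (i + 1 >= inlen) return -1;                /* dangling backslash */
        if (in[i + 1] != 'u') {                       /* one-character escapes */
            const char *from = "\"\\/ntrbf", *to = "\"\\/\n\t\r\b\f", *p;
            if (in[i + 1] == '\0' || !(p = strchr(from, in[i + 1]))) return -1;
            if (o >= cap) return -1;
            out[o++] = to[p - from]; i += 2;
            continue;
        }
        if (!read_u(in, inlen, i, &cp)) return -1;    /* truncated or non-hex \u */
        i += 6;
        if (cp >= 0xDC00 && cp <= 0xDFFF) return -1;  /* lone low surrogate */
        if (cp >= 0xD800 && cp <= 0xDBFF) {           /* high surrogate needs its pair */
            if (!read_u(in, inlen, i, &lo) || lo < 0xDC00 || lo > 0xDFFF) return -1;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
            i += 6;
        }
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (o + need > cap) return -1;                /* UTF-8 bytes must fit first */
        out[o++] = (char)(lead[need] | (cp >> (6 * (need - 1))));
        for (size_t k = need - 1; k > 0; k--)         /* continuation bytes */
            out[o++] = (char)(0x80 | ((cp >> (6 * (k - 1))) & 0x3F));
    }
    return (int)o;
}
```

Every rejection path returns -1 before any byte is written past 'cap', which is the property the original parser lacked for malformed literals.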


Mitigation
==========

N/A

Component installation information
==================================

See "More information" above


TLP and URL
===========

** WHITE information - Unlimited distribution allowed - see
https://go.egi.eu/tlp for distribution restrictions **

URL:   https://advisories.egi.eu/Advisory-SVG-CVE-2016-4303

Minor updates may be made without re-distribution to the sites

Credit
======

SVG was alerted to this vulnerability by Duncan Rand


References
==========

[R 1] http://stats.es.net/ServicesDirectory/

[R 2] http://www.talosintel.com/reports/TALOS-2016-0164/


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI you may
report it by e-mail to

report-vulnerability at egi.eu

the EGI Software Vulnerability Group will take a look.


Timeline
========

2016-06-09 SVG alerted to this issue by Duncan Rand
2016-06-09 Acknowledgement from the EGI SVG to the reporter
2016-06-09 Updated packages available
2016-06-10 EGI SVG Risk Assessment completed
2016-06-13 Advisory/Alert sent to sites
2016-06-13 Advisory placed on the SVG wiki



On behalf of the EGI SVG,